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Introduction 

Many problems in computer science, in particular those arising in the context of 
program analysis, involve the computation of a least (or, dually, greatest) fixpoint 
of a system of equations. In this paper, we consider a way to compute a least 
fixpoint when the equations involved are over the booleans. In some important 
cases, the resulting computation can be significantly shorter than the computation 
that iteratively evaluates the entire system until a fixpoint is reached. 

Let us begin with an overview of our result. We restrict our attention to a 
finite lattice. A finite lattice is a complete lattice and has no infinite ascending 
chains, and any monotonic function on such a lattice is also continuous. Hence, 
the Kleene Fixpoint Theorem [2] states that the least fixpoint of any monotonic 
function F is the lattice join of the sequence of elements 

F'{±), F\±), F'{±), ... 

where exponentiation denotes successive function applications and ± denotes the 
bottom element of the lattice. Because this sequence is ascending and because the 
lattice is finite, there exists a natural number K such that 

is the least fixpoint of F . We call the least such K the fixpoint depth of F . 

If we are able to evaluate function F and if we are able to determine whether 
two given lattice elements are equal, then we can compute the least fixpoint of 
F : starting from the value _L , repeatedly apply F until the application of F 
leaves the value unchanged. The existence of a fixpoint depth guarantees that 
this process terminates. In this paper, we consider the problem of computing an 
expression for the least fixpoint, without computing the value of the expression. 
By first computing a small expression for the least fixpoint, we can relegate the 
computation of the value of the expression to an external tool such as a SAT solver 
[3] . In the sequel we therefore do not assume that we are able to compute the value 
of an expression into a particular lattice element. 

The fixpoint depth of a function F on a lattice is bounded by the height of the 
lattice. Therefore, for the 2-element lattice B of the booleans (which has height 
1), the least fixpoint of F is given by F{1) , and for the 2" -element lattice B" 
that is the Cartesian product space of n booleans (which has height n ), the least 
fixpoint of F is given by F"(_L) . 
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Any function F:B" — > B" can be represented isomorphically by n functions 
/j:B" ^B. We write 

F = (/!,...,/„) 

where the tuple of functions is itself defined to be a function, as follows, for any 
-tuple X ofbooleans: 

= (MX), ...,ux)) 

For example, let n = 3 and let F — {f,g,h). Then, the least fixpoint of F 
equals ±, _L) , as we have argued above. In terms of the functions f,g,h, 

this expands to: 







h{±,±,±)) 




9i^,^,^) 


h{±,±,±)) 




, ^(^,^,^) 
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g{f{f{±,±,±) 


9{^,^,^) 


h{±, ±, ±)) 




9i±,±,l-) 


h{±,±,±)) 




, 9i^,^,^) 


, h{±,±,±)) 


h{f{f{±,±,±) 


9{^,^,^) 












, 9{^,^,^) 





)) 



We refer to this closed form of the fixpoint as the Expanded Closed Form. A 
different way to write down the Expanded Closed Form, which shares common 
subexpressions, is: 

let ai= ±, a2= -L, a3= -L in 

let bi= f{ai, a2, as), 62= ^(ai, 02, as), h= h{ai, 02, as) in 

let ci= f{bi, 62, h), oz^ gih, h), C3= h{bi, 62, ^Ja) in 

let di= /(ci, C2, C3), (^2= g{ci, C2, C3), ^3= /i(ci, C2, C3) in 
(c?i, 4, ds) 

This representation is cubic in n , which means that computing it may take time 

and space that is cubic in n .* 

*If we allow ourselves to write functions of n arguments as functions over n -tuples, then we 
can obtain a quadratic representation. For example, with n = 3 , we have let ai = . . . , 02 = 
. . . , 03 = ... in let a = (ai, 02, 03) in let 61 = /(a), 62 = g{a), = h{a) in let h = 
{h, h, 63) in .... 
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Let us consider another closed form, which we call the Pruned Closed Form. 
In the Pruned Closed Form, an application of a function is replaced by _L if 
it occurs in another application of the same function /j . For the example above, 
where n = 3 , the Pruned Closed Form is: 

(/(^, 

h{±, g{±,±,±), ± )), 
gifi±, ±, h{±,±,±)), 

^, 

h{±, ±, ± )), 

h{f{±, ± ), 

9{^: ^, ^ ), 

^ )) 

If we do not have any interpretation for the functions fi — in other words, if 
each fi is just a symbolic name for an uninterpreted function — then the cubic- 
sized Expanded Closed Form may be a reasonably small closed-form representa- 
tion of the fixpoint. The Pruned Closed Form is generally much larger than cubic 
in n : for every subset S of /2, ...,/„ , function /i appears expanded in a con- 
text where the set of enclosing functions is S . (A smaller Pruned Closed Form 
can be obtained by taking advantage of common subexpressions.) However, there 
are cases where the Pruned Closed Form can be significantly smaller than the Ex- 
panded Closed Form, for example when the fixpoint computation is dominated 
by the computation of local fixpoints, meaning fixpoints that involve only a small 
number of the functions. An important situation in program analysis where this 
case applies is when each function represents a control point in a given program, 
a function is defined in terms of the functions corresponding to the successor (or 
predecessor) control points, and the given program contains many local loops. 

For example, suppose 

f(x,y,z) = f(x,y) g(x,y,z) = q(x) h{x,y,z) = i)(y,z) 

for some functions f , , and f) . Then the Expanded Closed Form is 

let (21= ±, (22= -L, (13= -L in 

let 61= f(ai, 02), 62= s(ai), ^3= f)(a2, as) in 

let ci= f(&i, &2), C2= g{bi), 03= i){b2, 63) in 

let di= f(ci, C2), 4= £|(ci), 4= f)(c2, C3) in 
{di, d2, rfs) 
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In contrast, the Pruned Closed Form yields the much shorter expression 

0(fa,^)), 
f)(0(f(^,^)), 
^)) 

More generally, for an even n , suppose fi{xi, . . . ,Xn) is ji{xi, Xj+i) when i is 
odd and fi{xi-i^Xi) when i is even. Then the Expanded Closed Form is still 
cubic, whereas the Pruned Closed Form is the linear-sized expression 

( fi(±,f2(±,±)), f2(fl(±,±),±), 

f„_i(±,f„(±,±)), f„(f„_i(±,±),±) 

) 

In the rest of this paper, we define the Pruned Closed Form more precisely and 
prove that it yields the same value as the Expanded Closed Form. 

1 Using the Bekic-Leszczytowski Theorem 

In this section, we sketch how to obtain the Pruned Closed Form by applications 
of the Bekic-Leszczylowski Theorem [1,4]. 
We write 

{ix» R{x) ) 

for the lattice meet of all values for x that satisfy the predicate R{x) . For any 
monotonic function F , we then write 

( i a; . x = F{x) ) (0) 

to denote the least fixpoint of F , because the Tarski Fixpoint Theorem [5] says 
that the meet of all fixpoints is itself a fixpoint. Using for a function F: B" — > 
B" the isomorphic representation of n functions /j: B" — > B , we can write (0) 
equivalently as: 

{iXi,...,Xn» Xi = fl{xi, . . . , Xn) A 

: A 

•^n — fn{-^l: • • • ) ■^n) ) 
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We can now state the Bekic-Leszczylowski Theorem [1, 4], for any monotonic 
functions F and G (possibly over different lattices): 

( i a, 6 • F{a,b) A G{a,b)) 

( i a, 6 • a^F{a,b) Ab^iib* b^ G{a,b))) 

Note that each side of the equality expresses a fixpoint in the lattice B" if F and 
G are functions of types x B« ^ B*' and B*' x B« ^ B« , respectively, for p 
and q such that p + q = n . 

A consequence of the Bekic-Leszczylowski Theorem and the Kleene Fixpoint 
Theorem for a known fixpoint depth is the following lemma: 

Lemma For any lattice domain A and monotonic functions i^: A x B — > A 
and G: A X B ^ B, 

{ia,b» a = F{a,b) Ab = G{a,b) ) 
( i a, 6 • a = F{a, b) A b ^ G{a, ±) ) 

Proof. 

{ia,b» a = F{a, b) A b = G{a, b) ) 
= { Bekic-Leszczylowski Theorem } 

{ia,b* a = F{a,b) A b = {ib* b=G{a,b))) 

— { ( A 6 • G{a, b) ) is a function on B , and 

therefore its fixpoint depth is at most 1 , and 
therefore ( i ^(a, 6) ) = G(a,±) } 

{ia,b» a = F{a,b) A b= G{a,±)) m 

Using Lemma 0, we now show that the Pruned Closed Form is indeed the least 
fixpoint in B^ . For any monotonic boolean functions / and g : 

iia,b* a^fia,b) A b^g{a,b)) (1) 
= { Lemma with F,G :=/,§ } 

{ia,bm a = f{a,b) A b = g{a,±) ) 
= { substitute equals for equals } 

{ia,b» a = f{a,g{a,l.)) A b^g{a,±)) 

— { Lemma with 

G,F:={Xa,b. f{a,g{a,l.))),{Xa,b* g{a,±)) } 
(ia,6. a^f{±,g{±,±)) A b^g{a,±)) 
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This calculation shows that an expression for the least solution of a in equation 
(l)is 

By a symmetric argument, an expression for the least solution of b in equation 
(l)is 

That is, an expression for (1) is 

( f{±,g{±,±)), 9{f{±,±),±) ) 

which is the Pruned Closed Form. 

Using the result for , we can show that the Pruned Closed Form is also the 
least fixpoint in . For any monotonic boolean functions f , g , and h : 

{la,b,c» a = f{a,b,c) A b = g{a,b,c) A c = h{a,b,c)) (2) 
= { Lemma with G := h (and with F as the isomorphic 

representation of functions / and g) } 
( J, a, 6, c • a—f{a,b,c) A b — g{a,b,c) A c — h{a,b,l.)) 

— { substitute equals for equals } 

{la,b,c» a = f{a,b,c) A b = g{a, b, h{a, b, 1.)) A c = h{a,b,±)) 

— { Lemma with G := ( A a, 6, c • g{a, b, h{a, b, _L)) ) } 

( J, a, 6, c • a — f{a,b,c) A b — g{a, ±, h{a, ±, ±)) A c — h{a,b,l.)) 

— { substitute equals for equals } 

(ia, &, c» a = f{a, ^(a, ±, /i(a, _L, _L)), c) A 

b = g{a, ±, h{a, ±, ±)) A c = h{a, b, ±) ) 
= { the first 3 steps of this calculation, in reverse order } 

(ia,6,c« a^f{a, y(a, _L, /i(a, _L, ±)), c) A 
b — g{a, b, c) A c — h{a, b, c) ) 
= { Lemma with G := g } 

(ia, 6, c» a = f{a, g{a, h{a, J.)), c) A 
b = g{a, ±, c) A c = h{a, b, c) ) 
= { substitute equals for equals } 

( i a, &, c • a = /(a, g{a, _L, h{a, _L, _L)), c) A 

b = g{a, _L, c) A c = h{a, g{a, ±, c), c) ) 
= { Lemma with G :— {Xa,b,c» h{a, g{a, ±, c), c) ) } 
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(ia,6,c« a^f{a, g{a, ±, h{a, ±, c) A 

b = g{a,J., c) A c = h(a, g{a, ±, ±), ±) ) 
= { substitute equals for equals } 

{ia,b,c» a=f{a, ^(a, _L, /i(a, ±, ±)), h{a, g{a, J., 1.), 1.)) A 
b = g{a,L, c) A c = /i(a,^(a,±,±),±) ) 
= { Lemma with G := 

{Xa,b,c» f{a, g{a, h{a, L, L)), h{a, g{a, 1.), 1.)) ) } 
( i a, 6, c . a = f{±, g{±, ±, ±, ±)), ^(X, ±, ±), ±)) A 
b = gia, ±, c) A c = h{a, g{a, ±, ±), ±) ) 

This calculation shows that an expression for the least solution of a in (2) is 

f{±, g{±,±,h{±,±,±)), h{±,g{±,±,±),±)) 

and similarly for b and c . 

Our main result is that the Pruned Closed Form is the least fixpoint in B" for 
any n . In the next section, we prove this result directly, not using Lemma 0. 

2 The theorem 

We are given n > 1 monotonic functions /i, ...,/„: B" B , where B is the 
boolean domain {0,1} ordered by < (with < 1). To represent an indexed 
n -tuple of things, like a list of booleans xi, . . . , a;„ , we write it . The fact that 
the given functions are monotonic is written as follows, for any index i and any 
tuples of booleans it and ~^ : 

^ ^ T ^ fi-^ < fflf 

where an infix dot (with the highest operator precedence) denotes function appli- 
cation, and the order ^ is the component- wise ordering of tuples: 

= Xi<yi) 

We are interested in viewing the functions as specifying a system of equations, 
namely: 

Xi , . . . , Xn ■ X^ /i . ( Xi , • • • J Xn ) 

(3) 
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where the variables to the left of the colon show the unknowns. We take a tuple of 

functions (/i, ...,/„), which we can also write as / , to itself be a function, one 
which produces a tuple from the results of applying the given argument to each of 
the functions. For example, for the functions given above and an argument , 
we have: 

Thus, we can write the system (3) of equations as: 

^ : ^ = 

We are interested in the least (in the sense of the ordering ^ ) solution it that 
satisfies this equation. That is, we are interested in the least fixpoint of the function 
/ . Because the lattice of boolean n -tuples has height n , the least fixpoint of / 
can be reached by applying / n times starting from the bottom element of the 
lattice. That is, the least fixpoint of / is given by: 

where exponentiation denotes successive function applications and if is the tuple 
of n O's. 

To precisely specify the Pruned Closed Form, we introduce a notation that 
keeps track of which functions have been applied in the enclosing context. In 
particular, we use a set that contains the indices of the functions already applied. 
Formally, we define the following family of functions, for any index i and set S 
of indices: 



9s,: 



fi ° {gSU{i},l, 9SU{i},n) Hi ^ s 

(\lt»Q) ifteS 



Taking advantage of our previous notation and using 6 to denote the function that 
always returns (that is, the boolean extended pointwise to a boolean function), 
we can write the definition of g as follows: 

Our goal is now to prove the following: 
Theorem 1 ^.if = T'^-O' 
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3 Proof 

We start by proving some lemmas that we use in the proof of this theorem. 
Lemma 2 For any index i and for any S ^ {l,...,n}. 

Proof. By induction on n — \S\. Let T denote S\J{i} . We consider three cases. 
Case i e S : 

— { definition of g , since i E S } 

— { definition of 6 } 


< { is bottom element of < } 

^n-\S\-l ^ 

Case i ^ S a \T\ <n: 

— { definition of g , since i ^ S } 

{fiog^).t 

= { distribute .if } 

< { for each index j , induction hypothesis with i,S :— j, T , since 

\S\ + 1 = \ T\ < n; and monotonicity of f } 

jmor-'"'\t, ....(/„ °r-"''-^^) 

= { distribute . } 

— i>n-|5|-2 -^n-\S\-2^^ _> 

(/io(/iO / -••'/"° / ))-0 

= { distribute of } 

{fio{A, ...,/„)o7"""""').o' 

= { exponentiation } 

[fi o / )• 
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Case i ^ S a \T\^n: 
9s, i-'^ 

— { see first 3 steps of previous case } 

— { for each index j , j E T ,so gxj = } 

— { l^l = n — 1 , SO /"-I'S'l-i is the identity function } 

The following corollary of Lemma 2 proves one direction of Theorem 1. 
Corollary 3 ^ 

Proof. 

(^0,1- O", . . . , ^0,„."(f) 

^ { for each index j , Lemma 2 with i,S:=j,^ } 

— { distribute . and of } 
= { exponentiation } 

To support the remaining lemmas, we define one more family of functions. 
For any index i and set S of indices. 



6 ifieS 



Lemma 4 For any index i, monotonic function //:B" — > B", and m > 0, 
(/,o//™).0' = ^ (Vp I 0<p<m. (/,oiJ^')."0' = 0) 

Proof. We prove the term of the quantification as follows: 
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{fioHP).0 ^ ^ 

< { monotonicity of /j and H , since if ^ iJ™~^'.lf } 

{f,oHP).{H^-P.t) 

— { antecedent } 
■ 

Lemma 5 For any index i , set S of indices, m > , and T = S U {i} , 

{fioh^s^)-'^ = =^ (Vj9|0<j9<m« ^^.If = /i?^.lf ) 

Proo/ If i e S , then S = T and the consequent follows trivially. For i ^ S , 
we prove the term of the quantification by induction on p . 
Case p = : Trivial — exponentiation with gives identity function. 
Case p > : 

— { exponentiation, since p > } 
= { distribute .(^^ .if) } 

— { for any index j , hsj.{hs^ .~^) — hT,j-{hs^ .if ), see below } 

= { distribute .{h^s^~ .if) } 

— { induction hypothesis with p:— p — 1 } 

— { exponentiation } 
/i^^.lf 

Now for the proof of the third step in the calculation above. If j ^ i , then 
j e S = j e r , so hsj = hrj . If i = i , then: 

— { definition of h , since i ^ S } 
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= { Lemma 4 with H,p:= hs, p — I , using the antecedent of 

Lemma 5 to fulfill the antecedent of Lemma 4 } 



= { definition of } 

— { definition of h , since i E T } 

We need one more lemma. 
Lemma 6 For any index i , set S of indices, and m satisfying < m < n—\S\ , 
{hs,^oh's"').t < gs,^.t (4) 

Proof. By induction on m . We consider three cases. 

Case i e S : 

— ¥m 

hs,i o hs 

— { definition of h , since i e S } 

— >m 
Oohs 

— { is left zero element of o } 

6 

= { definition of g , since i E S } 

9s,i 

Case i ^ S a m = : 

{hs,i o /is")- 
= { exponentiation, since m = } 

hs,i.t 

— { definition of h , since i ^ S } 

< { monotonicity of /j , since if ^ ^.if } 

— { definition of g , since t ^ S } 
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Case i ^ S a m > 0: It suffices to prove that the left-hand side of (4) is 
whenever the right-hand side is 0. Therefore, we assume the latter to be 0: 

9s,i.'^ = (5) 
and prove the former to be 0: 

= { definition of h , since i ^ S } 

(/,og").0' 
= { exponentiation, since m > } 

{fio{hs,i, hs,n)ohs"' )-'^ 

— >rn—l — > 

= { distribute o hs and . | 

< { (6), see below; and monotonicity of /j } 

— { definition of g , since i ^ S } 

— { assumption (5) } 



In this calculation, we used the following fact: for every index j , 

{hs,joh's"'~').t < gT,j.t (6) 

which we now prove. We divide the proof of (6) up into two sub-cases. 

Sub-case {hsj o /i^™ ).lf = : Formula (6) follows immediately. 

Sub-case {hsj o hs ).lf 7^ 0: First, we derive some consequences of 
assumption (5): 

=^ { induction hypothesis with S,i,m:— S,i,m — 1 } 

(/i5,iog"~')."0' = (7) 
= { definition of h , since i ^ S } 

{fioKs"''').t = 
=^ { Lemma 5 with m, p :— m — 1, m — 1 } 

= (8) 
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Now, calculating from the assumption we made in this sub-case: 

{ (V) } 

=^ { i ,so J e S = J e T ,so hs,j ^ hxj } 

{hrj o ^ 

{hT,j o ^If ^ 
=^ { induction hypothesis with 5, z, m := r,j, m — 1 } 

9T,j.t ^ 

=^ 

(6) 

This concludes the proof of Lemma 6. ■ 

And finally, the proof of the theorem: 
Proof of Theorem 1. The proof is a ping-pong argument. 

^ { Corollary 3 } 

/ "•"O' —ping! 
= { exponentiation, since n > 1 } 

= { distribute o / and . } 

= {by definition of h, hij,^i ~ fi for each index i ; and 

thus also h^ii = f } 

((/2<j,io7j" )."(f, (/i0^„o75" )."(f) 

^ { Lemma 6 with 5, i, m := 0, i, n — 1 for each ^ } 

(^0,1. If, ^0,„.^) 
= { distribute ."O^ } 

■ —pong! 

4 Related Work and Acknowledgments 

Our theorem has already found a use, namely in the translation of boolean pro- 
grams into satisfiability formulas [3]. 
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Before we knew of the Bekic-Leszczytowski Theorem, one of us (Kuncak) 
proved the theorem as detailed in Section 3. Tony Hoare then proposed a way to 
prove the theorem in a way that would eliminate recursive uses of variables, one 
by one. In doing this, Hoare also proved what essentially amounts to the Bekic- 
Leszczylowski Theorem, appealing only to the Tarski Fixpoint Theorem [5]. We 
elaborated this format in Section 1, to whose formulation Carroll Morgan also 
contributed. We learnt about the Bekic-Leszczylowski Theorem from Patrick 
Cousot. The theorem is often called simply the Bekic Theorem, but de Bakker [0] 
traces an independent proof thereof to Leszczylowski. Finally, we are grateful for 
feedback from the Eindhoven Tuesday Afternoon Club and the participants of the 
IFIP WG 2.3 meeting in Biarritz, France (March 2003). 
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